ICSJWG: Different Approach to Security

Wednesday, September 14, 2016 @ 11:09 AM

By Gregory Hale
While security experts talk about changes needed to adjust for the advancing security threat the industry is experiencing, the mindset remains mired in the past.

“If we look at security in 2016, we really aren’t seeing the step change we thought,” said Joel Langill, ICS cyber security subject matter expert at AECOM during his keynote at the ICSJWG 2016 Fall Meeting in Ft. Lauderdale, FL, Wednesday. “The industry has to move toward a resilient architecture by creating a security risk model.”

The thinking has to shift toward asking: if a machine went away, what could happen, and how could you keep functioning without it?

That can occur by creating zones to establish trust boundaries based on:
• Ability to protect legacy software
• Consequences of a breach
• Security of ingress/egress communications

Conduits, which provide the ability to communicate between zones, will be the step change in security.

“You have to manage your scope of loss,” Langill said. “If you are compromised, there should be limited opportunity to compromise other nodes. If you rob a bank you haven’t won unless you can leave with the loot.”

With today’s attack sophistication, it is inevitable that hackers will get in; the issue is all about containing and mitigating. So, if an attacker gets in, you want to be able to block any egress. The idea is to contain the attack and not allow it to propagate.
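As an added illustration of the zone, conduit and scope-of-loss idea above (not code from the article or from Langill), the following Python model treats conduits as the only permitted directed paths between zones and computes how far a compromise could spread, with and without blocking egress from the compromised zone; the zone names, protocols and consequence scores are constructed assumptions.

```python
from collections import deque

# Constructed consequence score per zone (higher = worse if breached).
CONSEQUENCE = {"enterprise": 2, "dmz": 3, "supervisory": 6, "control": 9, "safety": 10}

# Conduits as directed edges (source zone, destination zone, protocol).
# Only these paths are permitted; everything else is dropped at the boundary.
CONDUITS_ZONED = [
    ("enterprise", "dmz", "https"),
    ("dmz", "supervisory", "opc-ua"),
    ("supervisory", "control", "modbus"),
    ("control", "supervisory", "modbus"),
]

def flat_network():
    """Every zone may talk to every other zone: no trust boundaries at all."""
    zones = list(CONSEQUENCE)
    return [(a, b, "any") for a in zones for b in zones if a != b]

def block_egress(conduits, zone):
    """Containment response: drop every conduit that originates in `zone`."""
    return [c for c in conduits if c[0] != zone]

def reachable(start, conduits):
    """Zones an intruder in `start` could pivot to over permitted conduits."""
    allowed = {}
    for src, dst, _proto in conduits:
        allowed.setdefault(src, set()).add(dst)
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in allowed.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def scope_of_loss(start, conduits):
    """Total consequence of every zone reachable from a compromise of `start`."""
    return sum(CONSEQUENCE[z] for z in reachable(start, conduits))

if __name__ == "__main__":
    # Compare a flat network, the zoned design, and the zoned design after
    # egress from the compromised zone has been blocked.
    cases = [("flat", flat_network()), ("zoned", CONDUITS_ZONED),
             ("zoned+egress-blocked", block_egress(CONDUITS_ZONED, "dmz"))]
    for name, conduits in cases:
        print(f"{name:21s} dmz compromised -> scope of loss {scope_of_loss('dmz', conduits)}")
```

The same reachability check can be run for each zone in turn to find which boundaries contribute most to limiting loss.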

“Everything has to be risk-based and you have to have a risk factor against your assets. Security is all about risk management.”

Converged Resilience
Langill based his new and different way of thinking about security not just on the cyber side, or what he calls logical security, which includes cyber and wireless, but also physical security. That is what he called converged resilience.

“It is about physical security. If you are not physically secure, then you may not be cyber secure,” he said.

Langill talked about the evolution of a physical threat in today’s world. He said it all started with box cutters on planes which led to flying into buildings and that created the Transportation Security Administration (TSA) that now searches all people catching a flight. Add on top of that, the capability to create a bomb from a sports drink and some hydrogen peroxide, which led to the 3-1-1 rule on airplanes.

Those were physical attacks that had a cause and effect.

But in the cyber environment, we are seeing attacks, but no real change in how the industry approaches the issue.

“Antivirus is dead. Malware is able to get through it to attack a system,” Langill said. “That is not to say, a user does not need it, they just have to understand it does not have the stopping capability it had 10 years ago. The same is true of firewalls. Yes, there are some good ones out there, but they can be averted. The way of thinking is the same as it was in 1996. The way we fight threats in 2016 has to be different than the way we did it in 1996.”

With that in mind, Langill talked about some big industry cyber attacks like Stuxnet. That 2010 attack targeted ICS vendor products and system configurations. It inhibited operators from viewing the actual process and altered PLC logic to sabotage the physical process.

There are tools today that can find an attack like Stuxnet, he said, but the key to that is increasing network visibility.

He then mentioned the 2014 DragonFly attack, which compromised the support portals of multiple ICS product vendors. In that attack, attackers were able to plant a Trojan in the vendors’ software packages, which users would then download, making them victims.

That attack was able to exfiltrate sensitive local data and gain access to remote industrial networks via VPN and network enumeration.

The DragonFly attack showed the importance of protecting and securing the supply chain.
“The supply chain is key,” he said. “They went after the supply chain.”

User Reaction
The issue behind the Stuxnet and DragonFly attacks was that these were assaults against ICS companies, yet most end users did nothing in response.

The massive power outage in the Ukraine is another example of an ICS cyber incident.

On December 23, 2015, power went out for a large number of customers (reports range from 80,000 customers to 700,000 homes) in the western region of the Ukraine served by regional power distribution companies. A clear picture has since emerged that a coordinated attack involving multiple components took place.

That incident, Langill said, did not take advantage of any zero-days in software, but rather leveraged weaknesses in configurations across the system.

The attackers were able to log in via remote connections and open breakers, and they also installed destructive malware to disable selected assets.

After this blatant attack in the ICS sector, and even though awareness of the assault is high, end users again did nothing.

The mindset “attacks will hit someone else and not me” has got to change along with the archaic approach the industry continues to take toward security.

“People are trying to do the same thing they have been doing in the past,” Langill said, but a new risk-based model could give end users a fighting chance to ward off any type of attack.